[OpenAFS] Distributing passwd

Derek Atkins warlord@MIT.EDU
12 Jun 2003 23:14:44 -0400


Charles Clancy <security@xauth.net> writes:

> There are a few attacks.
> 
> 1. dumping the passwd table (active)
>    typically, NIS servers will respond to any request from anywhere to
>    dump their tables -- list of valid usernames / encrypted passwords

not applicable in a Kerberos environment (no encrypted passwords).

> 2. sniffing (passive)
>    user on the subnet can sniff NIS queries that potentially contain
>    encrypted password information

also not applicable in a Kerberos environment (see above).

> 3. man in the middle attacks
>    DOS the NIS server, while sending spoofed replies (it's UDP, easy
>    to spoof); server waits for joeuser to log in, and automatically
>    spoofs passwd entry "joeuser::0:0::/:/bin/sh"

Ok, this certainly can be an issue, but only in the sense of gaining
inappropriate local access.  In a Kerberos/AFS environment the only
thing you need to check for is UID=0 (as empty password doesn't
matter).  Does it really matter if a user logs in as UID=1023 or
UID=14273?

> Disabling passwordless login can hinder #3, but the attacker can just
> substitute the hash of a known password there.  #2 isn't worth worrying
> about.  #1 can be solved using ipchains, ipf, or whatever to block access
> from subnets that shouldn't have access.

Actually, nope, #3 isn't an issue in a Kerberos environment as I've
mentioned, because the password field in NIS is empty/ignored.

> So, this is getting a bit off-topic.

Agreed...  but my point is that in a combined NIS/Kerberos environment
most of the security flaws of NIS don't exist anymore.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
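As an added illustration of the check Derek describes (treat any NIS passwd entry granting UID 0 as suspect, and only care about an empty password field where local password authentication is still in use), here is a small validator for passwd-format map entries. It is example code, not part of the original thread; the `PasswdEntry`/`audit_entry` names and the sample map lines are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class PasswdEntry:  # passwd(5) record: name:password:uid:gid:gecos:home:shell
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd line, rejecting anything not exactly seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    name, password, uid, gid, gecos, home, shell = fields
    # int() raises ValueError on a non-numeric uid/gid; callers catch it.
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)

def audit_entry(entry, kerberos_only=True, trusted_root=("root",)):
    """Return findings for one entry; an empty list means it looks benign."""
    findings = []
    # UID/GID 0 on anything but the real root account is the field a spoofed
    # entry needs, so it is the case the thread says to check for.
    if entry.uid == 0 and entry.name not in trusted_root:
        findings.append("uid 0 for non-root account")
    if entry.gid == 0 and entry.name not in trusted_root:
        findings.append("gid 0 for non-root account")
    # With Kerberos authenticating, the password field is ignored; report an
    # empty field only when local password checks are still in effect.
    if entry.password == "" and not kerberos_only:
        findings.append("empty password with local password auth")
    return findings

def audit_map(lines, **kwargs):
    """Audit a whole map; malformed lines are reported under their raw text."""
    results = {}
    for line in lines:
        try:
            entry = parse_passwd_line(line)
        except ValueError as exc:
            results[line] = [f"malformed: {exc}"]
            continue
        results[entry.name] = audit_entry(entry, **kwargs)
    return results

SAMPLE_MAP = ["root:x:0:0:root:/root:/bin/sh",  # constructed sample map
              "alice::1023:100:Alice:/afs/example.org/user/alice:/bin/tcsh",
              "joeuser::0:0::/:/bin/sh",  # the spoofed entry from the thread
              "bogus:line:without:enough:fields"]
```

Run `audit_map(SAMPLE_MAP)` to see only the spoofed entry flagged; pass `kerberos_only=False` to also see the empty password fields reported.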